Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 5 pypi packages depend on snorkel (4 direct, 1 indirect)
Ecosystem-wide dependent count for version 0.10.0.
DescriptionCVE.org
The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.
AnalysisAI
Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoint files through the Trainer.load() method. The vulnerability stems from unsafe PyTorch deserialization that processes untrusted Pickle objects without the weights_only security parameter. Attackers can embed malicious Python code in model files distributed through repositories, shared datasets, or social engineering campaigns. Despite the 8.8 CVSS score indicating critical severity, EPSS scoring at 0.06% (19th percentile) suggests very low real-world exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.
Technical ContextAI
Snorkel is a Python framework for programmatic data labeling and weak supervision in machine learning pipelines. The vulnerability resides in the interaction between Snorkel's Trainer class and PyTorch's checkpoint loading mechanism. PyTorch's torch.load() function uses Python's Pickle protocol for serialization, which can execute arbitrary code during deserialization. While PyTorch introduced the weights_only=True parameter to restrict deserialization to tensor data only, Snorkel v0.10.0 and earlier versions call torch.load() with default settings that permit full object deserialization. This creates a CWE-502 (Deserialization of Untrusted Data) vulnerability where any Python object-including those with __reduce__ methods that execute system commands-can be embedded in a model file and triggered when loaded.
RemediationAI
Upgrade to Snorkel versions newer than v0.10.0 when a patched release becomes available; monitor the official GitHub repository (https://github.com/snorkel-team/snorkel) and PyPI package updates for security releases addressing CVE-2026-31222. No vendor-released patch version is independently confirmed from available data at time of analysis. As interim compensating controls: restrict Trainer.load() usage to checkpoint files from trusted, verified sources only; implement file integrity verification using cryptographic signatures or hashes before loading any model checkpoints; apply filesystem permissions to prevent unauthorized modification of checkpoint directories; deploy application sandboxing (containers, VMs with limited privileges) to contain potential code execution if malicious models are loaded; consider patching the local Snorkel installation by modifying Trainer.load() to call torch.load() with weights_only=True, though this may break legitimate functionality if checkpoints contain non-tensor objects. Network-based controls are ineffective as exploitation occurs during local file processing. Organizations not loading third-party or user-supplied checkpoint files face minimal risk and may defer patching until operational updates.
More in Checkpoint
View allbackend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data
PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]
Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte
Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che
Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien
Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef
Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec
Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us
Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK
Same weakness CWE-502 – Deserialization of Untrusted Data
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29506
GHSA-78cp-f66x-qmh5